The Information Commissioner’s Office said the app may have processed the data of children under 13 without ‘appropriate parental consent’.
TikTok may be fined £27m in the UK for failing to protect the privacy of children on its platform.
The Information Commissioner’s Office (ICO) issued a notice of intent to TikTok today (26 September), announcing its provisional view that the company may have breached UK data protection law.
Following an investigation, the country’s privacy regulator found that the popular app may have processed the data of children under the age of 13 without “appropriate parental consent” and failed to provide proper information to users in a “concise, transparent and easily understood way”.
It also said TikTok may have processed special category data “without legal grounds to do so”. Special category data covers areas such as race, religion, political beliefs and sexual orientation.
The ICO noted that the findings are “provisional”, and that “no conclusions should been drawn” that there has been any breach of data protection law or that a fine will ultimately be imposed.
“We all want children to be able to learn and experience the digital world, but with proper data privacy protections,” said information commissioner John Edwards.
“Companies providing digital services have a legal duty to put those protections in place, but our provisional view is that TikTok fell short of meeting that requirement.”
The ICO will consider any input from TikTok before making a final decision. The company now has 30 days to respond.
The social media giant said that it disagrees with the ICO’s provisional decision.
“While we respect the ICO’s role in safeguarding privacy in the UK, we disagree with the preliminary views expressed and intend to formally respond to the ICO in due course,” a TikTok spokesperson told SiliconRepublic.com.
Companies that breach the UK’s implementation of the GDPR can be fined up to £17.5m or 4pc of the company’s global annual turnover, whichever is greater.
“I’ve been clear that our work to better protect children online involves working with organisations but will also involve enforcement action where necessary,” Edwards went on.
“We are currently looking into how over 50 different online services are conforming with the Children’s code and have six ongoing investigations looking into companies providing digital services who haven’t, in our initial view, taken their responsibilities around child safety seriously enough.”
Earlier this month, Ireland’s Data Protection Commission fined Instagram €405m for GDPR breaches, including violating children’s privacy.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.